You can disable the use of CRLs by setting the disable-crls attribute of the ca-certificate element to "yes".

Note

CRL usage should only be disabled for testing purposes. Otherwise it is highly recommended to always use CRLs.

Also define the LDAP server(s) or OCSP responder(s) used for CRL checks. Defining the LDAP server is not necessary if the CA certificate contains a CRL distribution point extension.

If the CA services (OCSP, CRL) are located behind a firewall, define also the SOCKS server in the ssh-broker-config.xml file. The SOCKS server is defined inside cert-validation with the socks-server-url element.